CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software

Jul 16, 2024 | Newsroom | Vulnerability / Infrastructure Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.

The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), concerns a case of remote code execution that could be triggered through specially crafted input.

“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” according to an advisory released by the project maintainers earlier this month.

The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. Security researcher Steve Ikeoka has been credited with reporting the flaw.

It is currently not clear how the vulnerability is being exploited in the wild. GeoServer noted that the issue is “confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”

Also patched by the maintainers is another critical flaw (CVE-2024-36404, CVSS score: 9.8) that could also result in RCE “if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.” It has been resolved in versions 29.6, 30.4, and 31.2.

In light of the active abuse of CVE-2024-36401, federal agencies are required to apply the vendor-provided fixes by August 5, 2024.
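To act on the fixed-version lists above, the following added example (not code from the article, GeoServer or CISA) triages an inventory of GeoServer and GeoTools versions against the releases named in the text. It assumes that branches newer than the newest listed one carry the fix and that branches with no listed fix need an upgrade; the hostnames and installed versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the article; the numbers before the last one identify the branch.
FIXED = {
    "geoserver": [(2, 23, 6), (2, 24, 4), (2, 25, 2)],  # CVE-2024-36401
    "geotools": [(29, 6), (30, 4), (31, 2)],            # CVE-2024-36404
}

def parse(version):
    """Return (numeric tuple, has_suffix), or None if not a version string."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([-.][A-Za-z][\w.-]*)?", version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def status(product, version):
    """Classify an installed version as 'fixed', 'upgrade' or 'review'."""
    fixed = FIXED[product]
    parsed = parse(version)
    if parsed is None:
        return "review"                        # cannot compare, check by hand
    nums, has_suffix = parsed
    nums = (nums + (0, 0, 0))[:len(fixed[0])]  # pad "2.25" to (2, 25, 0)
    same_branch = [f for f in fixed if f[:-1] == nums[:-1]]
    if same_branch:
        patched = nums >= same_branch[0]
    else:
        # Assumption: only branches newer than the newest listed one carry the fix.
        patched = nums[:-1] > fixed[-1][:-1]
    if not patched:
        return "upgrade"
    # A -SNAPSHOT/-RC style build may predate the fixed release.
    return "review" if has_suffix else "fixed"

def triage(inventory):
    """Return (host, product, version, status) for every row needing action."""
    rows = [(h, p, v, status(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "fixed"]

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    ("gis-01", "geoserver", "2.23.5"), ("gis-02", "geoserver", "2.24.4"),
    ("gis-03", "geoserver", "2.25.2-SNAPSHOT"), ("gis-04", "geoserver", "2.22.5"),
    ("app-01", "geotools", "30.3"), ("app-02", "geotools", "31.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Rows marked `review` are builds whose version string cannot prove they contain the fix, such as snapshots or custom labels.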

The development comes as reports have emerged about the active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510) that could be leveraged to escape the -dSAFER sandbox and run arbitrary code.

The vulnerability, addressed in version 10.03.1 following responsible disclosure by Codean Labs on March 14, 2024, has since been weaponized to obtain shell access to vulnerable systems, according to ReadMe developer Bill Mill.

Author: data@thehackernews.com (The Hacker News)
Date: 2024-07-16 00:01:00